Labour alerts Justice Ministry to gaping security hole

9 April
2013
MEDIA STATEMENTLabour
alerts Justice Ministry to gaping security hole in its
websiteLabour’s Information Technology
spokesperson, Clare Curran, has today alerted the Ministry
of Justice of a serious security flaw in its website.

The vulnerability leaves the personal and financial
details of tens of thousands of New Zealanders potentially
exposed, and might allow a malicious person to redirect
payments to and from members of the public.

“This
is a very serious matter. This is yet another gaping hole
in the security of a major government site, with privacy and
financial implications for a huge number of people,” says
Clare Curran.

The security flaw allows access to
Ministry of Justice passwords and databases, via a publicly
accessible search engine on its website.

“The
Ministry of Justice holds incredibly sensitive data –
including information about the victims of crime. The
Government has a fundamental duty to protect that
information. This flaw, if exploited, could have a
devastating effect on thousands of people.

“Earlier today I wrote to the Ministry of Justice, the
Minister Judith Collins and the Privacy Commissioner
alerting them to the issue, which must be addressed
urgently.

“This matter was brought to my attention
by a whistle-blower. That person has agreed to help the
Ministry of Justice in any way they can to ensure the
security flaw is fixed.

“This is the latest in a
disturbingly long line of information technology security
flaws and privacy breaches. There is clearly a major
systemic problem with IT security.

“In the past
two years more than 100,000 Kiwis have had their privacy
breached by government agencies, including the ACC, MSD, IRD
and EQC. This is an issue of public trust and confidence in
government systems.

“The National Government needs
to treat this matter with the seriousness it deserves, and
stop hiding behind human error as an excuse for not
protecting people’s private information,” says Clare
Curran

Ministry of Justice security flaw Q and
A

What is the nature of the
security flaw?The flaw allows access to
what appears to be Ministry of Justice databases covering
licences and fines. Those databases would likely include
the personal details of many victims of crimes.

Access to the page containing passwords for the
databases was found via a publicly accessible part of the
Ministry of Justice website.

How serious
is this vulnerability?This is a serious
flaw. The passwords were contained in a plain text file,
and those passwords could be used to access incredibly
sensitive information, and could potentially allow someone
to alter fines payments and financial records.

The
MoJ website is very vulnerable to anyone who is serious
about trying to break into it. The MoJ website’s security
is nowhere near an acceptable standard.

Potentially how many people’s information
is at risk because of this problem?That is
not clear. But the databases in question could include
information about people that the Courts have imposed a fine
upon, and any victim of crime that is receiving reparations.
At the very least the databases also hold the details of
those with licences issued by the Ministry of Justice.

How did Clare Curran become aware of the
issue?Clare Curran was contacted by a
concerned member of the public, who identified the
vulnerability. That person contacted her in the hope that
she could help expose the problem and get it fixed.

The whistle-blower did NOT access the Ministry
databases, but did view the plain text file that contained
the passwords. This confirmed the seriousness and extent of
the security issue. This file has been passed on to the
Ministry of Justice.

Clare Curran will not be
publicly identifying her source, but they have agreed to
help the Ministry of Justice to address this problem.

The quashing of the convictions of Teina Pora for the rape and murder of Susan Burdett in 1992 has shone a spotlight once again on a major gap in the New Zealand justice system.

To all intents and purposes, access by New Zealanders to the Privy Council has now been closed. Yet the number of times in recent years when the Privy Council has quashed the findings of New Zealand courts has demonstrated that we are regularly(a) jailing the wrong person or(b) arriving at guilty verdicts on grounds sufficiently flawed as to raise serious doubts that a miscarriage of justice has occurred. More>>

ALSO:

WorkSafe NZ has laid one charge against the Ministry of Social Development (MSD) in relation to the shooting at the MSD Ashburton office on 1 September 2014 in which two Work and Income staff were killed and another was injured. More>>

New Zealand First Leader Winston Peters has announced his intention to stand in the Northland by-election, citing his own links to the electorate and ongoing neglect of the region by central government. More>>